OpenVPN client able to connect but no LAN access?
-
pfsensory, so you run an OpenVPN server and client on one pfSense. So pfSense handles firewall rules by just one virtual vpn interface for both, server and client.
To separate them you should add a particular interface for each. Go to Firewall > Interfaces > assign and at "Available network ports" select the server or client for "network port" (ovpns1, ovpnc1) and hit "+".
Then click the new interface to configure it, check enable and give it a name, no further settings.
Now you can assign different firewall rules to each, the server and the client. You also have to set up outbound NAT rules for both.
-
> pfsensory, so you run an OpenVPN server and client on one pfSense. So pfSense handles firewall rules by just one virtual vpn interface for both, server and client.
> To separate them you should add a particular interface for each. Go to Firewall > Interfaces > assign and at "Available network ports" select the server or client for "network port" (ovpns1, ovpnc1) and hit "+".
> Then click the new interface to configure it, check enable and give it a name, no further settings.

Yes, I run both a server and a client on 1 pfSense device. I already have an interface for each assigned to network ports: they are called VPNserver and VPNclient.

> Now you can assign different firewall rules to each, the server and the client. You also have to set up outbound NAT rules for both.

This is where I am not sure what I am doing is correct (being a complete newb at this), and I would really value some specific guidance (i.e. step by step instructions).
Under firewall rules, I have tabs for (apart from Floating, WAN, LAN): VPNserver, VPNclient, and OpenVPN (interface for OpenVPN in general I guess). What specific rules go under which specific tabs? And which rules do I need under NAT?
I am guessing this seems pretty basic to most other people, but being completely new at this and trying to set up what seems (for me) to be a fairly complicated arrangement, I am worried that if I put the wrong rule in the wrong place, I am going to open up a security hole to the outside. So your guidance is very much appreciated!
-
You just need to set the appropriate rules like on other interfaces. Those are firewall basics:
https://doc.pfsense.org/index.php/Firewall_Rule_Basics

Yes, the OpenVPN tab is for both, server and client. You'll need no rule at this tab.
You also need no rule on the client's interface, unless you want to permit access from outside over the client's public IP.
But as I understood your post, you use the client just to access the internet via PIA. So you will have a firewall rule at the LAN interface which directs traffic over the vpn.

On the vpn server's tab you add a rule to allow your vpn clients to access your internal PCs. If you want you can add an allow any to any rule here. This will only permit the vpn client to access any host inside your LAN and other subnets as well as the internet, but it will permit nothing coming in through your pfSense vpn client connection.
You will also have to add outbound NAT rules for vpn. For your client you will already have one as you said, it's already working. But since you now have a particular vpn client interface, ensure its interface is set correctly.
If you want to access the internet from your vpn clients connected to your server, you will also need an outbound NAT rule for this with interface WAN, source = vpn server tunnel network, destination = any and NAT address = interface address.

For better understanding you should post screenshots of the rules you actually have. Firewall and outbound NAT rules.
-
What I decided to do was revert my pfSense box to a backup (before I started messing around with this), and redo everything again. Now everything is working great.
One question though - I am using a tun connection, which is working fine for my purposes except for one issue. I use Syncthing, and I would like to be able to have it sync files when I am connected to the network via VPN. However, because Syncthing accesses devices by IP addresses, and the VPN client device now shows up under a different subnet (10. for the VPN client, 192.168. for the main LAN), the syncing devices do not see each other. Is there some way I can get these to connect?
And one more question - this time when I set things up (using the VPN wizard), no interfaces got assigned to ovpns1 or ovpns2, and there are no corresponding tabs under the Firewall rules (although rules were set up for me at the end of the wizard), unlike when I did everything manually last time. Everything seems to be working fine, but should there be something there?
-
> I use Syncthing, and I would like to be able to have it sync files when I am connected to the network via VPN. However, because Syncthing accesses devices by IP addresses, and the VPN client device now shows up under a different subnet (10. for the VPN client, 192.168. for the main LAN), the syncing devices do not see each other. Is there some way I can get these to connect?

You want to sync files between vpn server and client side, or between two clients?
A drawing would be helpful for understanding your aims.

> this time when I set things up (using the VPN wizard), no interfaces got assigned to ovpns1 or ovpns2, and there are no corresponding tabs under the Firewall rules (although rules were set up for me at the end of the wizard), unlike when I did everything manually last time. Everything seems to be working fine, but should there be something there?

The interfaces are not created by the wizard and are not essential in any circumstances.
However, if you set up a PIA client, a client interface will be needed.
-
I want the computer connecting to my LAN via VPN (let's call it "external computer") to be able to sync with other computers on my LAN (not the pfSense box) (let's call these "internal computers").
external computer 10.0.xxx.yyy
|
|
modem (WAN address)
|
|
pfSense (LAN 192.168.aaa.0/24) (OpenVPN server)
|
|
internal computer 192.168.aaa.bbb

As for my prior post, I was only referring to setting up the VPN server. I still have VPN client running as well (as a client of PIA OpenVPN). Connections coming into my pfSense OpenVPN server are not to be routed out the PIA gateway - they get routed out from my ISP gateway.
-
Somehow my problem getting Syncthing clients seems to have fixed itself, with no apparent intervention on my part. A strange (but welcome) development.
-
Are you talking about redirecting all traffic intended for local networks to the VPN? The source local networks are conflicting with your host (pfSense) local networks.
your external computer (10.0.xxx.yyy) is connected via a LAN (192.168.1.xxxx) of a router -> Internet -> modem->pfSense (OpenVPN Server) -> internal computer (LAN 192.168.1.xxxx)
What I did was adding: push "route 192.168.1.0 255.255.255.0" at the Advanced Configuration of OpenVPN Server
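The two things this thread keeps coming back to are the address plan (the tunnel network, the LAN behind pfSense, and the LAN the roaming client sits in must not overlap, or the client routes that traffic locally and never reaches the tunnel) and the two server-side pieces derived from it: the pushed route for the LAN and the outbound NAT rule on WAN for the tunnel network. This added example (not from the thread or from pfSense) checks a constructed plan for overlaps and derives those two pieces; the 10.0.8.0/24 tunnel and 192.168.1.0/24 client LAN are assumed values, 192.168.107.0/24 is the LAN mentioned later in the thread.

```python
from ipaddress import ip_network

# Constructed addressing plan (assumption, not the poster's real values):
PLAN = {
    "tunnel": "10.0.8.0/24",           # OpenVPN server tunnel network
    "server_lan": "192.168.107.0/24",  # LAN behind pfSense
    "client_lan": "192.168.1.0/24",    # network the remote client sits in
}

def find_overlaps(plan):
    """Return name pairs whose networks overlap. Any overlap means one side
    treats the other's addresses as local and never sends them into the tunnel."""
    nets = {name: ip_network(cidr) for name, cidr in plan.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]

def server_directives(plan):
    """Derive the server-side pieces: the route to push so clients reach the
    LAN, and the outbound NAT rule (as a dict) so they also reach the internet."""
    lan = ip_network(plan["server_lan"])
    tun = ip_network(plan["tunnel"])
    push = f'push "route {lan.network_address} {lan.netmask}"'
    nat = {"interface": "WAN", "source": str(tun), "destination": "any",
           "translation": "interface address"}
    return push, nat

def check(plan):
    """Refuse to emit directives for a plan that cannot route cleanly."""
    overlaps = find_overlaps(plan)
    if overlaps:
        return {"ok": False, "overlaps": overlaps}
    push, nat = server_directives(plan)
    return {"ok": True, "push": push, "nat": nat}

if __name__ == "__main__":
    print(check(PLAN))
    # A client whose own LAN happens to be 192.168.107.0/24 silently fails:
    print(check({**PLAN, "client_lan": "192.168.107.0/24"}))
```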
-
I don't think it was an IP address conflict, because the LAN addresses on my pfSense use an unusual address that is not likely to be used on other networks (192.168.107.0/24)
At any rate, syncthing has kept working over the VPN since my last post, so problem apparently solved.
-
> What I decided to do was revert my pfSense box to a backup (before I started messing around with this), and redo everything again. Now everything is working great.
> One question though - I am using a tun connection, which is working fine for my purposes except for one issue. I use Syncthing, and I would like to be able to have it sync files when I am connected to the network via VPN. However, because Syncthing accesses devices by IP addresses, and the VPN client device now shows up under a different subnet (10. for the VPN client, 192.168. for the main LAN), the syncing devices do not see each other. Is there some way I can get these to connect?
> And one more question - this time when I set things up (using the VPN wizard), no interfaces got assigned to ovpns1 or ovpns2, and there are no corresponding tabs under the Firewall rules (although rules were set up for me at the end of the wizard), unlike when I did everything manually last time. Everything seems to be working fine, but should there be something there?

Hello.
We have a similar setup running both an OpenVPN server and a PIA client, and I was hoping you could share your settings as I can't get them to work together. That would be greatly appreciated, as it seems I'm not getting any support from anywhere for such a common thing.